LdapLoginModule Search-first nonanonymous search

I got to use the LdapLoginModule http://download.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html together with Microsoft Active Directory in search-first mode, because we got our users in different OUs. AD does not allow anonymous searches.

Is there a possibility to make a non-anonymous search before authenticating or why does the word anonymous stand in braces?

If not, which LdapLoginModules are out there that allow non-anonymous searches?

Kind regards

Christian

UPDATE: To allow a non-anonymous search with a technical account in AD, you have to use another LoginModule. Either you can implement your own, or if you are on JBoss you can use the LdapExtLoginModule. We are on WebLogic, thus we used the UsernamePasswordLoginModule from Oracle and configured a realm for the authentication.


Do you know that you can allow anonymous searches (article at the end of the page) in Active Directory?


To allow a non-anonymous search with a technical account in AD, you have to use another LoginModule. Either you can implement your own, or if you are on JBoss you can use the LdapExtLoginModule. We are on WebLogic, thus we used the UsernamePasswordLoginModule from Oracle and configured a realm for the authentication.


I think you have misread the docs. The docs say:

"In search-first mode, the LDAP directory is searched to determine the user's distinguished name and then authentication is attempted. An (anonymous) search is performed using the supplied username in conjunction with a specified search filter. If successful then authentication is attempted using the user's distinguished name and the supplied password."

All it's trying to do is determine the user's distinguished name. It's NOT to allow you to do anonymous searches.

AD will usually allow anonymous searches for things such as email etc., as it's a useful feature, but at the end of the day it all comes down to how the AD was configured.

I don't know anything about LdapLoginModules as I haven't used them, but would have thought that if you are doing anonymous searches, you would NOT need a login module, all you will need is the connection to the directory server.


I know this is an old question, but you could use the stock standard LdapLoginModule to do an authenticated search-first, if you add the following lines in the JAAS configuration file to specify an authenticated user to search the Active Directory:

java.naming.security.principal="username"
java.naming.security.credentials="password"

The username could be the DN of the particular user or a mapped username like user@abc.com.
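The following is an added example, not code from the question, the answers, or Oracle's documentation. It drives the stock com.sun.security.auth.module.LdapLoginModule in search-first mode (userProvider + userFilter, no authIdentity) and passes the java.naming.security.principal / java.naming.security.credentials options from the answer above so the directory search binds with a read-only service account instead of anonymously. The JAAS entry is built in code via a javax.security.auth.login.Configuration subclass so every option is visible in one place; the same key/value pairs can be copied into a .conf file. The host, base DN, service-account name, the LDAP_SEARCH_PASSWORD environment variable and the userPrincipalName attribute mapping are placeholders chosen for this example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Authenticated search-first login against Active Directory with the stock LdapLoginModule. */
public class AdSearchFirstLogin {

    // Placeholder values for this example; replace with your own directory settings.
    static final String ENTRY_NAME = "ActiveDirectory";
    static final String USER_PROVIDER = "ldap://dc01.corp.example:636/DC=corp,DC=example";
    static final String SERVICE_ACCOUNT = "svc-ldap-search@corp.example";          // read-only, non-admin
    static final String SERVICE_PASSWORD = System.getenv("LDAP_SEARCH_PASSWORD"); // keep it out of source

    /** Programmatic equivalent of a JAAS login configuration file entry. */
    static final class AdConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!ENTRY_NAME.equals(name)) {
                return null; // no such entry
            }
            Map<String, Object> options = new HashMap<String, Object>();
            // Search-first mode is selected by giving userFilter (and no authIdentity).
            options.put("userProvider", USER_PROVIDER);
            // The module replaces {USERNAME} with the name supplied through the callback.
            options.put("userFilter", "(&(objectClass=user)(sAMAccountName={USERNAME}))");
            // Attribute in braces: exposed as an extra principal after a successful login.
            options.put("authzIdentity", "{userPrincipalName}");
            options.put("useSSL", "true");
            options.put("debug", "false");
            // Options whose key contains a '.' go into the JNDI environment, so the
            // search connection binds as the service account rather than anonymously.
            options.put("java.naming.security.authentication", "simple");
            options.put("java.naming.security.principal", SERVICE_ACCOUNT);
            options.put("java.naming.security.credentials", SERVICE_PASSWORD);
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.LdapLoginModule",
                        LoginModuleControlFlag.REQUIRED, options)
            };
        }
    }

    /** Supplies the end user's name and password to the module's callbacks. */
    static CallbackHandler handlerFor(final String username, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(username);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    /** Searches for the user's DN with the service account, then binds as that DN. */
    static Subject login(String username, char[] password) throws LoginException {
        // AD treats a simple bind with an empty password as an unauthenticated bind
        // (RFC 4513) and reports success, so refuse empty credentials before binding.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            throw new LoginException("username and password are required");
        }
        // Defensive check added here: keep whatever is substituted into userFilter to a
        // plain account name so no filter metacharacters reach the directory.
        if (!username.matches("[A-Za-z0-9._-]+")) {
            throw new LoginException("invalid characters in username");
        }
        LoginContext lc = new LoginContext(ENTRY_NAME, new Subject(),
                handlerFor(username, password), new AdConfiguration());
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        Subject subject = login(args[0], pw);
        java.util.Arrays.fill(pw, '\0'); // clear the password from memory once used
        System.out.println("Principals: " + subject.getPrincipals());
    }
}
```

Run it as `java AdSearchFirstLogin jdoe` with LDAP_SEARCH_PASSWORD set in the environment. The service account only needs read access to the user objects under the search base; it should not be the account the application uses for anything else, and the configuration (whether this class or a .conf file) holds its password in clear text, so restrict who can read it.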
